Users cast wary eye at Web services

IT professionals on an exploratory mission at last week's XML Web Services One conference here expressed keen interest in testing out new technologies to address some of their most painful application integration headaches.

But their interest was tempered by a variety of concerns, including immature and sometimes overlapping standards, the potential for differing implementations of those standards by vendors and a dearth of skills at some companies to build Web services that use standard Internet technologies such as XML and the Simple Object Access Protocol to link disparate applications.

"My nightmare would be a standards arms race," said Chet Ensign, senior director of architecture and development services in the Newark, N.J., office of LexisNexis Group. "That's what the world does not need."

One ray of hope for attendees such as Ensign was a daylong joint presentation by two of the groups working on key Web services standards -- the World Wide Web Consortium and the Organization for the Advancement of Structured Information Standards. But even though the cooperative spirit was encouraging, some users were left with just as many questions as answers.

"It confirmed to me that we're not the only ones who are confused," said Ensign, who gave a user presentation at the forum. "I think everyone outside of the small groups of security specialists who have been working on this problem are confused. We don't yet see a clear story of what the security problems are, the framework for how the security will be provided and how the individual efforts fit together."

Kevin Cronin, chief technical architect at Niteo Partners Inc., a Boston-based services firm that's owned by NEC Corp., said its clients in the financial services industry are confused about the overlap of some of the proposed security standards. And until the issues are resolved, he said, the use of Web services may be limited at the retail banking level.

Advanced security issues such as rights management are of great concern to financial services firms as well as to publishers such as LexisNexis, which manages content from a wide range of sources and must control access to meet its business obligations to its content providers and customers. Ensign said he now sees potential overlap among three standards -- Security Assertion Markup Language, Extensible Access Control Markup Language and Extensible Rights Markup Language.

"That's an expensive problem to solve if we have to invent our own solution to every single permissions issue as it comes along," Ensign said. He added that if standards are implemented by vendors in a clear and consistent way, "our customers and our external service providers can afford to implement their end of any of these service bargains."

"Having been burned several times, I still need something that's multivendor and interoperable and not driven by one or two vendors, even if they're really good ideas," agreed Stephen Whitlock, a Seattle-based enterprise security architect at The Boeing Co. "We need some assurance that it's going to work, that we can switch vendors if we need to."

Seeking Standards

Whitlock said he looks forward to the day when standards are finalized to address data security at the endpoints of a transaction, since Secure Sockets Layer protects data only during transmission.

But standards are just one piece of the Web services puzzle. Gordon Coulson, a systems architect working for Canada's Fisheries & Oceans office in Vancouver, British Columbia, said addressing the technical part may be easy compared with getting people to agree on the best approach.

Coulson said he hopes he can persuade the agency to consider using XML and SOAP to get its disparate legacy systems to talk to one another. Right now, the agency's developers use a variety of technologies, including Java, Microsoft Corp.'s .Net and Macromedia Inc.'s ColdFusion.

An IT specialist at a U.S. government agency, who asked that she not be named, said that she's investigating Web services to help with data integration of disparate enterprise resource planning systems. But right now, her agency's chief skills are in Cobol and PowerBuilder.

"They talk about Web services being easy," she said. "But the reality is it requires an entirely different set of skills from the ones that we're used to."

The complexity of the problem that Web services aim to address wasn't lost on some participants. With layers of standards continually being introduced, some users are moving forward cautiously.

"They say the infrastructure is simple to build. I'm not convinced yet," said David Rizzolo, a project manager for portal technologies at Novartis Pharmaceuticals Corp. in East Hanover, N.J.

Patrick Gannon, president and CEO of OASIS, advised companies to participate in pilots now so they will be ready to do more extensive projects as Web services standards mature over the next two years.

Defining Web Services Is No Easy Task

One presenter at last week's XML Web Services One Conference drew a laugh when she told attendees, "Ask five people to define Web services and you'll get at least six answers."

Even though Web services has been one of the technology industry's hot buzzwords for some time, that doesn't mean a clear and succinct definition has emerged.

Here's a sampling of definitions that were tossed out last week:

- "Web services standards and technologies allow us to describe and deploy applications or services on a network in a consistent way so that they can be discovered and invoked in a secure and reliable manner. A Web service is an application that uses these standards and technologies." -- Bob Sutor, director of e-business standards strategy at IBM- "What Web services are about is machine-to-machine communication. The base technology is XML and XML schema. If we want to narrow it to what types of Web service specifications are you going to be most interested in supporting -- obviously SOAP, WS-Security, XKMS [XML Key Management Specification]." -- Phillip Hallam-Baker, chief scientist at VeriSign Inc.

- "To me, when we're talking about a Web service, we're talking about taking some kind of application or series of applications and being able to make them available to people using the Internet as the transport, as the communications mechanism between the application which is calling and the other application which is responding to the call and delivering information." -- Chet Ensign, senior director of architecture and development services at LexisNexis.

"It's important to cite SOAP, WSDL and UDDI as the core of any Web services definition, as they are the key protocols. I can create software to transport XML over a socket on the Internet, but is that an interoperable Web service? No, it is not. The most compelling part of Web services is interoperability and the low technical barriers to entry, which are in turn driven by standards." -- Kevin Cronin, chief technical architect at Niteo Partners.

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.